Common Vulnerabilities and Exposures

Common Vulnerabilities and Exposures is the public identifier system used to label and track specific disclosed security vulnerabilities.

Common Vulnerabilities and Exposures, usually called CVE, is the public identifier system used to label specific disclosed security vulnerabilities. In plain language, a CVE number is the standardized name defenders use so everyone can talk about the same vulnerability clearly.

Why It Matters

CVE matters because security work becomes chaotic when the same issue is described differently by every vendor, scanner, or team. A shared identifier makes it easier to compare advisories, search for evidence, coordinate remediation, and track whether a weakness affects your environment.

It also matters because vulnerability management depends on being able to map findings, patches, exploit reporting, and business risk discussions back to the same underlying issue.

Where It Appears in Real Systems or Security Workflow

CVE appears in vulnerability scanners, vendor advisories, patch bulletins, ticket queues, asset reviews, and vulnerability management programs. Teams connect CVE identifiers to Common Vulnerability Scoring System (CVSS) ratings, vulnerability scanner findings, risk assessments, and Common Weakness Enumeration (CWE) references when the underlying weakness pattern is also relevant.

Security teams often use CVE identifiers as the common thread that ties together external reporting and internal remediation.

Practical Example

A scanner reports that an internet-facing server is affected by a known web-server flaw and labels it with a CVE identifier. The infrastructure team uses that identifier to confirm vendor guidance, locate the patch, and track whether all affected hosts were remediated.
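The correlation step in that example, reconciling findings from several tools and tracking which hosts are still open per CVE, is what the shared identifier makes mechanical. The following is an added example, not code from the original page; it assumes the CVE identifier syntax (four-digit year, then a sequence of at least four digits) and uses constructed scanner output:

```python
import re
from collections import defaultdict

# Identifier syntax: "CVE-" + four-digit year + "-" + at least four digits
# (sequence numbers may be longer than four digits).
CVE_ID = re.compile(r"CVE-\d{4}-\d{4,}")

def normalize_cve(raw):
    """Canonicalise a scanner-supplied identifier; None if it is not a CVE ID."""
    candidate = raw.strip().upper()
    return candidate if CVE_ID.fullmatch(candidate) else None

# Constructed sample output from two scanners that label the same flaw
# differently (casing, whitespace, a vendor-only id). Not real findings.
FINDINGS = [
    {"tool": "scanner-a", "host": "web-01", "id": "cve-2099-0001", "open": True},
    {"tool": "scanner-b", "host": "web-01", "id": " CVE-2099-0001", "open": False},
    {"tool": "scanner-a", "host": "web-02", "id": "CVE-2099-0001", "open": False},
    {"tool": "scanner-b", "host": "web-02", "id": "CVE-2099-0001", "open": False},
    {"tool": "scanner-b", "host": "db-01", "id": "VENDOR-12345", "open": True},
    {"tool": "scanner-a", "host": "web-03", "id": "CVE-2099-00020", "open": True},
]

def remediation_status(findings):
    """Group findings by canonical CVE and report which hosts are still open.

    A host counts as remediated only when every tool that reported the CVE on
    it now reports it closed; disagreement between tools is treated as still
    open. Findings without a valid CVE ID are returned separately so they are
    not silently dropped from the tracking view.
    """
    open_hosts = defaultdict(set)
    all_hosts = defaultdict(set)
    unmapped = []
    for f in findings:
        cve = normalize_cve(f["id"])
        if cve is None:
            unmapped.append(f)
            continue
        all_hosts[cve].add(f["host"])
        if f["open"]:
            open_hosts[cve].add(f["host"])
    report = {
        cve: {"affected": sorted(hosts), "still_open": sorted(open_hosts[cve])}
        for cve, hosts in all_hosts.items()
    }
    return report, unmapped

if __name__ == "__main__":
    report, unmapped = remediation_status(FINDINGS)
    for cve, row in sorted(report.items()):
        print(cve, row)
    print("unmapped:", [f["id"] for f in unmapped])
```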

Common Misunderstandings and Close Contrasts

A CVE entry is not the same as a severity score. The identifier tells you which vulnerability is being discussed, while CVSS is one common way to describe severity.

A CVE entry is also not proof that the vulnerability is exploitable in your environment. The real risk still depends on the installed version, exposure, compensating controls, and system context.